US11997113B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11997113-B2 |
| Application number | US-202117187377-A |
| Country | US |
| Kind code | B2 |
| Filing date | Feb 26, 2021 |
| Priority date | Feb 28, 2020 |
| Publication date | May 28, 2024 |
| Grant date | May 28, 2024 |
Official abstract text for this publication.
A traffic manager module of a cyber threat defense platform that can differentiate between data flows to a client device. A registration module can register a connection between devices within a client network to transmit a series of data packets. A classifier module can execute a comparison of features of the connection to a set of interest criteria to determine an interest level for the cyber threat defense platform in the connection. The classifier module can apply an interest classifier describing the interest level to the connection based on the comparison. A deep packet inspection engine can examine the data packets of the connection for cyber threats if the interest classifier indicates interest. A diverter can shunt the data packets of the connection away from the deep packet inspection engine if the interest classifier indicates no interest.
Opening claim text (preview).
What is claimed is:
1. A method for a cyber threat defense system to differentiate between data flows, comprising: registering, at a traffic manager module of the cyber threat defense system, a connection between one or more devices within a client network to transfer a series of one or more data packets; executing a comparison of features of the connection to a set of interest criteria to determine an interest level for the cyber threat defense system in the connection; applying an interest classifier describing the interest level to the connection based on the comparison; passing the one or more data packets of the connection to a deep packet inspection engine for further examination for cyber threats if the interest classifier indicates interest; shunting the one or more data packets of the connection away from the deep packet inspection engine if the interest classifier indicates no interest; identifying a dropped packet in a passthrough connection being processed by the deep packet inspection engine; and shunting the passthrough connection with the dropped packet away from the deep packet inspection engine.
2. The method for the cyber threat defense system of claim 1, further comprising: determining that the connection is not interesting based on the connection being at least one of a long-lived connection, unable to be decrypted within a parameter set for a first device in the client network, and within a normal connection pattern.
3. The method for the cyber threat defense system of claim 1, further comprising: monitoring at least one of a connection length and a payload size for a shunted connection.
4. The method for the cyber threat defense system of claim 1, further comprising: collecting a set of packet metadata for a shunted connection.
5. The method for the cyber threat defense system of claim 1, further comprising: reconnecting a shunted connection to the deep packet inspection engine upon detection by an analyzer module of an anomalous event at a first device in the client network; and adjusting the set of interest criteria based on the anomalous event.
6. The method for the cyber threat defense system of claim 5, further comprising: severing the connection upon detection by the analyzer module of the anomalous event at the first device in the client network.
7. The method for the cyber threat defense system of claim 6, further comprising: retrieving data about the connection to spoof reset packets.
8. A non-transitory computer readable medium comprising computer readable code operable, when executed by one or more processing apparatuses in the cyber threat defense system, to instruct a computing device to perform the method of claim 1.
9. A traffic manager module for a cyber threat defense system, comprising: a registration module stored in a non-transitory computer readable medium, the registration module is configured, when executed by a processor, to register a connection between one or more devices within a client network to transmit a series of one or more data packets; a classifier module stored in the non-transitory computer readable medium, the classifier module is configured, when executed, to compare to execute a comparison of features of the connection to a set of interest criteria to determine an interest level for the cyber threat defense system in the connection and to apply an interest classifier describing the interest level to the connection based on the comparison; a deep packet inspection engine stored in the non-transitory computer readable medium, the deep packet inspection engine is configured to (i) examine the one or more data packets of the connection for cyber threats if the interest classifier indicates interest and (ii) identify a dropped packet in a passthrough connection; and a diverter stored in the non-transitory computer readable medium, the diverter is configured to shunt (i) the one or more data packets of the connection away from the deep packet inspection engine and (ii) the passthrough connection with the dropped packet away from the deep packet inspection engine.
10. The traffic manager module of claim 9, wherein the classifier module is further configured to adjust the set of interest criteria based on a set of host parameters for the client network.
11. The traffic manager module of claim 10, wherein the set of host parameters are at least one of storage capacity, processing capacity, and network bandwidth.
12. The traffic manager module of claim 9, wherein the deep packet inspection engine is configured to collect a packet capture of the one or more data packets for the connection.
13. The traffic manager module of claim 12, wherein further comprising: an offload module configured to send the packet capture to a cloud storage system.
14. The traffic manager module of claim 13, wherein the offload module is configured to: set an expiration date for the packet capture in the cloud storage system indicating when the packet capture should be overwritten.
15. The traffic manager module of claim 4, wherein the traffic manager module is located at least one of a host-based agent, a virtualized sensor installed on a hypervisor, a centralized physical appliance, and a centralized cloud appliance.
16. A network, comprising: at least one firewall; at least one network switch; multiple computing devices operable by users of the network; a cyber-threat coordinator-component that includes a probe module configured to collect, from one or more probes deployed to one or more network devices, input data describing network-administrated activity executed by a first network device, a cyber threat module configured to identify whether the input data correspond to a cyber threat to the network, and an analyzer module configured to flag a host-based agent for host-based traffic decryption; and a traffic manager module that includes a registration module configured to register a connection between one or more devices on the network to transfer a series of one or more data packets, a classifier module configured to execute a comparison of features of the connection to a set of interest criteria to determine an interest level for the cyber-threat coordinator-component in the connection and to apply an interest classifier describing the interest level to the connection based on the comparison, a deep packet inspection engine configured to at least (i) examine the one or more data packets of the connection for cyber threats if the interest classifier indicates interest and (ii) identify a dropped packet in a passthrough connection, and a diverter configured to (i) shunt the one or more data packets of the connection away from the deep packet inspection engine if the interest classifier indicates no interest, (ii) shunt the passthrough connection with the dropped packet away from the deep packet inspection engine and (iii) reconnect a shunted connection to the deep packet inspection engine upon detection by the analyzer module of an anomalous event at the first network device in the network.
17. The network of claim 16, wherein the analyzer module of the cyber-threat coordinator-component is configured to determine the host-based agent warrants host-based traffic decryption based on at least one of rarity of endpoint, rarity of timing, rarity of domain, and environment.
18. The network of claim 16, wherein the deep packet inspection engine of the host-based agent is configured to execute a decryption by at least one of receiving a private key from a third-party agent, upload
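The claims above describe a control loop rather than an algorithm in code, so the following is an added, self-contained illustration of that loop, written for this page and not taken from the patent or from any product: a flow is registered, its features are compared to a set of interest criteria (long-lived, undecryptable, within a normal pattern, or over a host capacity limit), interesting flows go to a deep packet inspection stub while uninteresting ones are shunted with only metadata (timestamp, payload size) retained, a sequence gap in a passthrough flow is treated as a dropped packet and the flow is shunted, an analyzer-reported anomaly at a host re-attaches that host's shunted flows and tightens the criteria, and the recorded connection state is used to build the reset the diverter would spoof to sever a flow. The flow key, the constructed packets, the port-443 "undecryptable" rule, the 300-second long-lived threshold and the `watch_hosts` adjustment are all assumptions chosen for the example.

```python
"""Toy traffic manager modelled on the claimed method. Added illustration for
this page; not the patent's or any vendor's code. Packet data is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

FlowKey = Tuple[str, str, int]  # (src host, dst host, dst port); assumption


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    seq: int          # sequence number of the first payload byte
    payload_len: int
    ts: float         # seconds since capture start


@dataclass
class Flow:
    key: FlowKey
    started: float
    interested: bool = True
    shunt_reason: Optional[str] = None
    next_seq: Optional[int] = None          # what the DPI engine expects next
    bytes_seen: int = 0
    metadata: List[Tuple[float, int]] = field(default_factory=list)  # (ts, len) for shunted flows


@dataclass
class InterestCriteria:
    long_lived_seconds: float = 300.0                      # assumption
    undecryptable_ports: Set[int] = field(default_factory=lambda: {443})  # assumption: no host keys
    normal_patterns: Set[Tuple[str, int]] = field(default_factory=set)   # learned (dst, dport)
    watch_hosts: Set[str] = field(default_factory=set)      # hosts with a recent anomaly
    max_dpi_flows: int = 100                               # host parameter: processing capacity


class DPIEngine:
    """Stand-in for the inspection engine: it only records what it was given."""
    def __init__(self) -> None:
        self.inspected: List[Packet] = []

    def inspect(self, pkt: Packet) -> None:
        self.inspected.append(pkt)


class TrafficManager:
    def __init__(self, criteria: InterestCriteria, dpi: DPIEngine) -> None:
        self.criteria = criteria
        self.dpi = dpi
        self.flows: Dict[FlowKey, Flow] = {}

    def register(self, pkt: Packet) -> Flow:
        key = (pkt.src, pkt.dst, pkt.dport)
        return self.flows.setdefault(key, Flow(key=key, started=pkt.ts))

    def classify(self, flow: Flow, now: float) -> Optional[str]:
        """Compare flow features to the criteria; return a shunt reason or None."""
        c = self.criteria
        src, dst, dport = flow.key
        if src in c.watch_hosts or dst in c.watch_hosts:
            return None                                    # anomaly hosts are always interesting
        if now - flow.started > c.long_lived_seconds:
            return "long_lived"
        if dport in c.undecryptable_ports:
            return "undecryptable"
        if (dst, dport) in c.normal_patterns:
            return "normal_pattern"
        active = sum(1 for f in self.flows.values() if f.interested and f is not flow)
        if active >= c.max_dpi_flows:
            return "capacity"                              # shed load before DPI drops packets
        return None

    def shunt(self, flow: Flow, reason: str) -> None:
        flow.interested = False
        flow.shunt_reason = reason

    def handle(self, pkt: Packet) -> str:
        """Route one packet: 'dpi' or 'shunted:<reason>'."""
        flow = self.register(pkt)
        flow.bytes_seen += pkt.payload_len
        if flow.interested:
            reason = self.classify(flow, pkt.ts)
            if reason:
                self.shunt(flow, reason)
        if flow.interested:
            if flow.next_seq is not None and pkt.seq > flow.next_seq:
                self.shunt(flow, "dropped_packet")        # gap in a passthrough flow
            else:
                self.dpi.inspect(pkt)
                flow.next_seq = pkt.seq + pkt.payload_len
                return "dpi"
        flow.metadata.append((pkt.ts, pkt.payload_len))   # connection length / payload size only
        flow.next_seq = pkt.seq + pkt.payload_len
        return "shunted:" + str(flow.shunt_reason)

    def on_anomaly(self, host: str) -> List[FlowKey]:
        """Analyzer reported an anomaly at host: re-attach its shunted flows and adjust criteria."""
        self.criteria.watch_hosts.add(host)
        reconnected: List[FlowKey] = []
        for flow in self.flows.values():
            if not flow.interested and host in flow.key[:2]:
                flow.interested, flow.shunt_reason, flow.next_seq = True, None, None
                reconnected.append(flow.key)
        return reconnected

    def sever(self, key: FlowKey) -> Dict[str, object]:
        """Use recorded connection state to describe the RST the diverter would spoof."""
        flow = self.flows[key]
        src, dst, dport = key
        return {"from": src, "to": dst, "dport": dport, "seq": flow.next_seq or 0, "flags": "RST"}
```

A flow re-attached by `on_anomaly` is only useful to the inspection engine if it can actually be decrypted; in the claimed network that is what flagging the host-based agent for host-based decryption (claims 16 to 18) is for, and it is deliberately outside this toy.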
Weakly supervised learning, e.g. semi-supervised or self-supervised learning · CPC title
Event detection, e.g. attack signature detection · CPC title
by filtering · CPC title
Traffic logging, e.g. anomaly detection · CPC title
Vulnerability analysis · CPC title